Cisco WLC MAC Filtering Integration with ISE and 802.1x

michailkopsiaftis · ‎09-10-2021

Hi,

I want to perform authentication on a new SSID based on the MAC address of the device and then give access to the user based on the policy that i have create on Cisco ISE.

Can you please tell me if i can perform such a solution and how i can do it on ISE;

Ι have already create the new SSID with the Mac Filtering enabled.

Thank you.

howon · ‎09-10-2021

Since MAC address doesn't provide user identity behind the device there needs to be a way to tie the MAC to a user to be able to assign policy based on the user. This can be done with WebAuth with device registration where upon logging in to a portal page, the MAC address of the client device is added to a certain endpoint group. Then policy can be applied to the endpoint group.

michailkopsiaftis · ‎09-10-2021

Thank you howon for your solution. Because they do not want the WebAuth from my company for these users, i will try to do it by enabling the Mac Address filtering into the SSID. Then i will create the binding between the Mac Address and an IP from the Vlan for which i have already create a policy to ISE. Finally i will use the Identity Awareness on my firewall in order to permit specific users.

So at the end i suppose that through this way i will manage to control both a limited number of mac address and a limited number of users.

Do you think that this solution will work;

Nadia Bbz · ‎09-12-2021

Hi ;

i performed authentication into wireless using both ( mac address + dot1x ) it's work as well, for this you need to create

Endpoint Identity Groups in cisco ise and put in the list of address mac after that you change your rule policy by adding the group